svn commit: r352027 - in stable: 11/lib/libc/nameser 12/lib/libc/nameser
Cy Schubert
cy at FreeBSD.org
Sun Sep 8 01:58:03 UTC 2019
Author: cy
Date: Sun Sep 8 01:58:02 2019
New Revision: 352027
URL: https://svnweb.freebsd.org/changeset/base/352027
Log:
MFC r351889:
Bounds check again after advancing cp, otherwise we have a possible
heap buffer overflow. This was discovered by a Google fuzzer test.
This can lead to remote denial of service. User interaction and
execution privileges are not a prerequisite for exploitation.
Reported by: enh at Google, to FreeBSD by maya at NetBSD.org
Obtained from: enh at Google
See also: NetBSD ns_name.c r1.12
Reviewed by: delphij, ume
MFC after: 3 days
https://android-review.googlesource.com/c/platform/bionic/+/1093130
Differential Revision: https://reviews.freebsd.org/D21523
Modified:
stable/12/lib/libc/nameser/ns_name.c
Directory Properties:
stable/12/ (props changed)
Changes in other areas also in this revision:
Modified:
stable/11/lib/libc/nameser/ns_name.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/12/lib/libc/nameser/ns_name.c
==============================================================================
--- stable/12/lib/libc/nameser/ns_name.c Sat Sep 7 23:39:30 2019 (r352026)
+++ stable/12/lib/libc/nameser/ns_name.c Sun Sep 8 01:58:02 2019 (r352027)
@@ -684,7 +684,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
{
const u_char *cp;
u_int n;
- int l;
+ int l = 0;
cp = *ptrptr;
while (cp < eom && (n = *cp++) != 0) {
@@ -694,7 +694,7 @@ ns_name_skip(const u_char **ptrptr, const u_char *eom)
cp += n;
continue;
case NS_TYPE_ELT: /*%< EDNS0 extended label */
- if ((l = labellen(cp - 1)) < 0) {
+ if (cp < eom && (l = labellen(cp - 1)) < 0) {
errno = EMSGSIZE; /*%< XXX */
return (-1);
}
More information about the svn-src-stable-12
mailing list